From: Thijs K. <ki...@sq...> - 2008-08-22 07:44:38
On Friday 22 August 2008 09:17, Paul Lesniewski wrote:
> It's your commit, so maybe you can help.
>
> http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/mime.php?view=log#rev12370
>
> If this code is meant to stop "request forgeries through included
> images", I'd like to know more about what this means, since, as I
> noted, it wouldn't be hard for an attacker to substitute a dynamically
> executed script for an "image" file on the target server. Or perhaps
> the file extension code is not specifically what fixed that actual
> issue and is only a side effect?

The patch is actually by Marc. He had some discussion about it with Tomas that I could find. As far as I can distill from the mails, but it's a bit of guesswork:

- IE interprets JavaScript when served within an "image" (that is, something linked from <img src="">).
- Apparently (?) it doesn't do this when the file has a regular image extension; it then processes it as an image. A typical Windows way of working, I guess.

I'm not sure that that is what it's supposed to fix, as the mails aren't too clear on that. I also don't use IE, so I can't easily verify this theory.

You could argue that pressing View Unsafe Images leaves you on your own, which is sort of true; however, my perception of the function was to prevent remote tracking, and enabling it would not directly open you up to XSS.

cheers,
Thijs